From 3b70ddeaaf2ddf0c07c4c328beeaa80e94a514c6 Mon Sep 17 00:00:00 2001 From: richard Date: Mon, 16 Mar 2009 04:16:43 +0000 Subject: [PATCH] fix bug introduced into CVS export and view (issue 2550529) git-svn-id: http://svn.roundup-tracker.org/svnroot/roundup/roundup/trunk@4204 57a73879-2fb5-44c3-a270-3262357dd7e2 --- CHANGES.txt | 6 +++ roundup/cgi/actions.py | 2 +- roundup/cgi/templating.py | 1 - .../templates/classic/html/user.index.html | 2 +- test/test_cgi.py | 37 +++++++++++++++++-- 5 files changed, 41 insertions(+), 7 deletions(-) diff --git a/CHANGES.txt b/CHANGES.txt index a139736..0072ce3 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -1,6 +1,12 @@ This file contains the changes to the Roundup system over time. The entries are given with the most recent entry first. +2009-03-?? 1.4.8 + +Fixes: +- bug introduced into CVS export and view + + 2009-03-13 1.4.7 (r4202) Features: diff --git a/roundup/cgi/actions.py b/roundup/cgi/actions.py index fc2d5c7..425dec2 100755 --- a/roundup/cgi/actions.py +++ b/roundup/cgi/actions.py @@ -1041,7 +1041,7 @@ class ExportCSVAction(Action): row = [] for name in columns: # check permission to view this property on this item - if exists and not self.hasPermission('View', itemid=itemid, + if not self.hasPermission('View', itemid=itemid, classname=request.classname, property=name): raise exceptions.Unauthorised, self._( 'You do not have permission to view %(class)s' diff --git a/roundup/cgi/templating.py b/roundup/cgi/templating.py index 9cccd2d..17912c6 100644 --- a/roundup/cgi/templating.py +++ b/roundup/cgi/templating.py @@ -624,7 +624,6 @@ class HTMLClass(HTMLInputMixin, HTMLPermissions): classname=self._klass.classname, property=name): raise Unauthorised('view', self._klass.classname, translator=self._client.translator) - row.append(str(klass.get(itemid, name))) value = self._klass.get(nodeid, name) if value is None: l.append('') diff --git a/share/roundup/templates/classic/html/user.index.html b/share/roundup/templates/classic/html/user.index.html index cdee70c..1a72a51 100644 --- a/share/roundup/templates/classic/html/user.index.html +++ b/share/roundup/templates/classic/html/user.index.html @@ -34,7 +34,7 @@     -
diff --git a/test/test_cgi.py b/test/test_cgi.py index f09bace..cfccae8 100644 --- a/test/test_cgi.py +++ b/test/test_cgi.py @@ -10,7 +10,7 @@ # # $Id: test_cgi.py,v 1.36 2008-08-07 06:12:57 richard Exp $ -import unittest, os, shutil, errno, sys, difflib, cgi, re +import unittest, os, shutil, errno, sys, difflib, cgi, re, StringIO from roundup.cgi import client, actions, exceptions from roundup.cgi.exceptions import FormError @@ -18,6 +18,8 @@ from roundup.cgi.templating import HTMLItem from roundup.cgi.form_parser import FormParser from roundup import init, instance, password, hyperdb, date +from mocknull import MockNull + import db_test_base NEEDS_INSTANCE = 1 @@ -614,13 +616,13 @@ class FormTestCase(unittest.TestCase): # SECURITY # # XXX test all default permissions - def _make_client(self, form, classname='user', nodeid='2', userid='2'): + def _make_client(self, form, classname='user', nodeid='1', userid='2'): cl = client.Client(self.instance, None, {'PATH_INFO':'/', 'REQUEST_METHOD':'POST'}, makeForm(form)) cl.classname = 'user' - cl.nodeid = '1' + cl.nodeid = nodeid cl.db = self.db - cl.userid = '2' + cl.userid = userid cl.language = ('en',) return cl @@ -646,6 +648,33 @@ class FormTestCase(unittest.TestCase): self.failUnlessRaises(exceptions.Unauthorised, actions.EditItemAction(cl).handle) + def testCSVExport(self): + cl = self._make_client({'@columns': 'id,name'}, nodeid=None, + userid='1') + cl.classname = 'status' + output = StringIO.StringIO() + cl.request = MockNull() + cl.request.wfile = output + actions.ExportCSVAction(cl).handle() + self.assertEquals('id,name\r\n1,unread\r\n2,deferred\r\n3,chatting\r\n' + '4,need-eg\r\n5,in-progress\r\n6,testing\r\n7,done-cbb\r\n' + '8,resolved\r\n', + output.getvalue()) + + def testCSVExportFailPermission(self): + cl = self._make_client({'@columns': 'id,email,password'}, nodeid=None, + userid='2') + cl.classname = 'user' + output = StringIO.StringIO() + cl.request = MockNull() + cl.request.wfile = output + self.assertRaises(exceptions.Unauthorised, + actions.ExportCSVAction(cl).handle) + + +def test_suite(): + suite = unittest.TestSuite() + def test_suite(): suite = unittest.TestSuite() suite.addTest(unittest.makeSuite(FormTestCase)) -- 2.30.2